By the way, this is another problem:

“I know with certainty (because I trust my system) that for that system to be compromised, the web service itself must first be compromised.”

This is soccer-goal security and it will end up biting you.

Its not soccer goal security, its risk management and you glazed over everything preceding that line and took it out of context.

Here’s the bit you glazed over;

However, before I ever put the system into production I have done and documented my due diligence; I patched and hardened the OS, I installed and actively tune HIPS software, etc, etc.

I’ve not only put extra goalies in front of the goal (HIPS, emphasis on the “P”), but I’ve made the goal smaller (OS hardening), and also installed TV cameras, seismographs, and bad oder detectors (all in the HIPS).

I doubt Richard was implying that he goes through this process for every alert he receives. I think his goal was to explain the steps that can be taking when the data is made available via NSM.

I understand now that he didn’t intend to imply NSM works for the entire range of incidents. My main argument at this point is the example he used. It doesn’t help his explanation, at least it doesn’t for me. For me it took away from the effectiveness of his explanation, pretty thoroughly.

What about organizations where the responsiblity of server adminstration, FWs, and information security isn’t a one man shop?

Operational standards, documented procedures, and routine internal audits neatly address that situation.

What if the organization has business units spread across the country and are trying to take advantage of scale buy using a shared services model for specialized skills like information security while the individual business units still maintain their own pc’s, servers, and network?

Again, operational standards, documented procedures, and routine internal audits neatly address that situation as well. I happen to work for a company that fits your description and it works swimmingly for us.

I find it interesting that the Richard’s whole process was initiated by an alert, but Richard is arguing against alert-based systems.

Yeah, I could have done better with that one.

The process you followed works fine for you, but there are a number of conditions that can make those steps tough or nearly impossible for many organinzations. In your post you mention how you harden and manage “your firewalls” and “your webserver”. What about organizations where the responsiblity of server adminstration, FWs, and information security isn’t a one man shop? What if the organization has business units spread across the country and are trying to take advantage of scale buy using a shared services model for specialized skills like information security while the individual business units still maintain their own pc’s, servers, and network?

I find it interesting that the Richard’s whole process was initiated by an alert, but Richard is arguing against alert-based systems.

I am not even sure how to respond to that. Alerts are one of the four data
types that Rich requires when he defines NSM (alert, stats, session, and full
content). With Sguil we are trying to create work flow that supports event
driven analysis. The majority of that time, an alert is the driver.

Finally, I don’t think anyone is getting defensive or is feeling they are being attacked, I just think your post included a bit of misinformation.

Below is what I also posted on your blog:

I think you’ve gotten a bit defensive. You said yourself you expect people to challenge the real world usefulness of NSM.

You provided an incident and clearly stated it was an example of how NSM is to be done. Granted you said it was a trivial example but its still a poor example to make your point because the example doesn’t indicate an attack (at any level) and you spent too much time in your investigative process making a decision about the incident.

It would have been better to provide fictional data or even a staged attack to better demonstrate the process.

Your opening paragraph indicated you were interested in how others find the answer to the problem ‘how do I know what happened…”

I thought you seriously wanted to know.

“I know with certainty (because I trust my system) that for that system to be compromised, the web service itself must first be compromised.”

This is soccer-goal security and it will end up biting you.

I saw your test post and have some questions, but I can’t find out how to contact you?!

Also, if you took this:

http://www.flickr.com/photo_zoom.gne?id=371144567&size=o

It’s awesome. I’m adding it into my rotation of backgrounds on my Macbook.